Oman: Latest developments in data protection and cybersecurity

This article first appeared on Dataguidance

Development of a draft Data Protection Law

The Oman Information Technology Authority (“ITA”) announced in 2017 that it was developing a data protection law. However, the law remains a draft without a clear indication of when it will come into force. It was speculated that if approved and signed into law, the law will grant powerful rights to individuals in Oman, enabling them to exercise GDPR-style levels of control over their personal data, for example by giving individuals the right to:

• object to the processing of their personal data;
• demand access to any personal data about them held by any organisation in Oman;
• demand that any mistakes in this data are corrected; and
• demand that this data is completely erased if they wish.

The ITA went as far as to hold public consultation sessions to discuss this draft law and seek feedback from members of the public on its contents, but limited further developments have since occurred. 

In July 2020 the State Council held its eighth ordinary session of the first annual sitting for the seventh term where it discussed the ‘Personal Data Protection Draft Law’, noting the importance of the draft law in light of the ongoing technological developments and digital challenges. Hon. Dr. Rashid bin Salim bin Rashid al Badi, Committee Head of the Legal Committee of the Council, stated that the draft law contains 35 articles divided into five chapters as follows:

1. Definitions and general provisions;
2. Tasks and powers of the Ministry of Technology and Communications;
3. Rights of individuals with regards to their personal data; 
4. Obligations of the controller and processor handling the processing of personal data; and
5. Penalties for violating the provisions of the law.

Despite providing previously unknown detail on the draft law, no reports on the timelines for promulgation of the draft law have been reported. 

A limited number of other laws in Oman relate to the use of personal information and cybersecurity, however these are certainly not the equivalent of bespoke data protection laws such as the GDPR.

The Cyber Crime Law

The Cyber Crime Law (Royal Decree No 12 of 2011) seeks to address a wide array of illegal activities involving a computer device, computer system or network. It considers various acts as cybercrimes and backs violations of such acts with robust penalties in the form of imprisonment and fines.

The Cyber Crime Law also contains limited provisions with respect to personal data protection, including making it an offence to violate the privacy of individuals using technology. It does not however impose any obligations on those who collect personal data.

The Electronic Transactions Law

The Electronic Transactions Law (Royal Decree No. 69 of 2008), which is based largely on the UN Model Laws relating to e-commerce and electronic signatures, contains limited provisions relating to the processing of personal data, it does however include some requirements relating to the obtaining, retention and dissemination of personal data. However, this law only applies to transactions performed between parties who have agreed to perform their transactions electronically and therefore its narrow data protection provisions do not apply to those who collect personal information outside the scope of this law.

Sectoral laws

Limited data protection and cybersecurity provisions can also be found in a number of sectoral laws across the telecommunications, financial and healthcare industries.

• Under Resolution No. 113 of 2009 issuing Regulations on Protection of the Confidentiality and Privacy of Beneficiary Data issued pursuant to Royal Decree 30 of 2002 (The Telecommunications Law), following the written approval of a customer, a telecom service provider (TSP) is permitted to share customer personal data with any of its subsidiaries or with other companies. Under such circumstances, the TSP is obliged to guarantee not to use customer data for any purpose other than the specified purposes and within the permissible limits. It is not clear whether this would include sharing the data with third parties outside of Oman and therefore consequently permit a cross-border transfer of such data.
• The Banking Law (Royal Decree No. 114 of 2000) contains certain limited provisions covering the protection of customer information in the banking context. All licensed banks, including their directors, officers, managers and employees are prohibited from disclosing customer information without the customer's consent, unless required to do so under Oman law or instructed to do so by the Central Bank of Oman.
• The Healthcare Law (Royal Decree No. 75 of 2019) contains provisions surrounding the disclosure of patient information. It is stated that patient information must not be shared with any person until the patient has provided their written consent to do so. Limited exceptions exist to this rule such as where disclosure is required to share relevant patient information with health insurance companies.

Given the latest developments concerning data protection and cybersecurity in Oman, with the issuance of Royal Decree No. 64 of 2020 establishing the Cyber Defense Centre, and the latest discussions concerning the Personal Data Protection Draft Law, it seems Oman has data protection and cybersecurity firmly on the agenda, and that further development in this area is likely in the coming months.